Introduction
When a workspace is deleted in HCP Terraform or Terraform Enterprise, you can find details about who deleted the workspace and when the deletion occurred. The procedure to retrieve this information differs between HCP Terraform and Terraform Enterprise.
This article describes the steps to find deletion details for each product.
Procedure
Option 1: Using the HCP Terraform API
HCP Terraform retains audit log information for 14 days, which includes details on workspace deletions. You can access this information using the Audit Trails API. For more details, refer to the Audit Trails API documentation.
Prerequisites
- You have the jq command-line tool installed.
- You have an organization API token available.
- The workspace ID is helpful for identification but is not required.
Steps
- Set your organization token as an environment variable. Replace <your-organization-token> with your token.

      $ export TOKEN=<your-organization-token>

- Query the Audit Trails API to find all workspaces deleted after a specific date. Adjust the since parameter to your desired timestamp.

      $ curl \
          --header "Authorization: Bearer $TOKEN" \
          --request GET \
          "https://app.terraform.io/api/v2/organization/audit-trail?since=2022-06-24T17:52:46.000Z" | \
          jq '[.data[] | select(.resource.action|test("destroy")) | select(.resource.type|test("workspace"))]'

  The command returns a JSON object for each deleted workspace. Note the accessor_id from the output, which identifies the user who performed the action.

      {
        "id": "9860030d-b6a3-4cdf-aad1-edababbc6a47",
        "version": "0",
        "type": "Resource",
        "timestamp": "2022-06-27T09:58:51.000Z",
        "auth": {
          "accessor_id": "user-gH8emuYZYxTi5w7K",
          "description": "example-user",
          "type": "Client",
          "impersonator_id": null,
          "organization_id": "org-Q9Ao32MNTMUtsxUs",
          "organization_name": "example-org"
        },
        "request": {
          "id": "7308733e-ec44-45d7-fb48-3e6b443cfac5"
        },
        "resource": {
          "id": "ws-P6jBfzaapo5sdegF",
          "type": "workspace",
          "action": "destroy",
          "meta": null
        }
      }

- Use the accessor_id to retrieve details about the user who deleted the workspace.

      $ curl \
          --header "Authorization: Bearer $TOKEN" \
          --header "Content-Type: application/vnd.api+json" \
          --request GET \
          https://app.terraform.io/api/v2/users/<change_to_your_accessor_id> | jq .data

  The command returns details for the specified user.

      {
        "id": "user-gH8emuYZYxTi5w7K",
        "type": "users",
        "attributes": {
          "username": "example-user",
          "is-service-account": false,
          ## ...
        }
      }
Option 2: Using Terraform Enterprise Support Bundles
The Audit Trails API is not available for Terraform Enterprise. Instead, you can find workspace deletion details by generating and inspecting a support bundle, which contains the necessary log files.
Prerequisites
- You have generated a Terraform Enterprise support bundle. For instructions, see the guide on How to Generate a Support Bundle in Terraform Enterprise.
Steps
- Unpack the support bundle archive.
- Navigate into the unzipped directory from your command line.
- Search the application logs for all workspace destroy actions.

      $ grep '"action":"destroy"' primary/app/logs/*atlas.stdout | grep '"resource":"workspace"'

  The command returns log entries that match the search criteria, including the organization, actor, and IP address associated with the deletion.

      2022-06-28 13:22:12 [INFO] [81a68968-4476-4f8f-ae34-9ddbea65de65] [Audit Log] {"resource":"workspace","action":"destroy","resource_id":"ws-es8ssXQuGVC9mZFg","organization":"test","organization_id":"org-DfvRy1SKJ5qydr19","actor":"admin","timestamp":"2022-06-28T13:22:12Z","actor_ip":"192.0.2.1"}
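The grep in Option 2 matches on the serialized text of each entry. As an added example (not part of the original article or HashiCorp tooling), the Python script below decodes the JSON after the `[Audit Log]` marker and filters on the decoded fields, so key order, spacing, and truncated lines do not affect the result. The function name, the `workspace_id` filter, and every sample line are constructed for illustration; the field names are the ones shown in the log entry above.

```python
import json
import sys

MARKER = "[Audit Log] "
FIELDS = ("timestamp", "resource_id", "organization", "actor", "actor_ip")

# Constructed sample lines in the format shown above (all values are made up).
SAMPLE = [
    '2022-06-28 13:20:01 [INFO] [req-1] [Audit Log] {"resource":"workspace","action":"update","resource_id":"ws-CONSTRUCTED0001","organization":"test","actor":"admin","timestamp":"2022-06-28T13:20:01Z","actor_ip":"192.0.2.1"}',
    '2022-06-28 13:22:12 [INFO] [req-2] [Audit Log] {"resource":"workspace","action":"destroy","resource_id":"ws-CONSTRUCTED0002","organization":"test","actor":"admin","timestamp":"2022-06-28T13:22:12Z","actor_ip":"192.0.2.1"}',
    '2022-06-28 13:25:40 [INFO] [req-3] [Audit Log] {"resource":"team","action":"destroy","resource_id":"team-CONSTRUCTED0001","organization":"test","actor":"admin","timestamp":"2022-06-28T13:25:40Z","actor_ip":"192.0.2.1"}',
    '2022-06-28 13:26:00 [INFO] [req-4] Completed 200 OK in 35ms',
    '2022-06-28 13:27:00 [INFO] [req-5] [Audit Log] {"resource":"workspace","action":"destr',
    '2022-06-28 13:21:00 [INFO] [req-6] [Audit Log] {"action": "destroy", "resource": "workspace", "resource_id": "ws-CONSTRUCTED0003", "organization": "test", "actor": "ci-bot", "timestamp": "2022-06-28T13:21:00Z", "actor_ip": "198.51.100.7"}',
]

def workspace_deletions(lines, workspace_id=None):
    """Return one dict per workspace destroy audit entry, oldest first."""
    events = []
    for line in lines:
        _, found, payload = line.partition(MARKER)
        if not found:
            continue  # not an audit log line
        try:
            entry = json.loads(payload)
        except json.JSONDecodeError:
            continue  # truncated or otherwise malformed entry
        if not isinstance(entry, dict):
            continue
        if entry.get("resource") != "workspace" or entry.get("action") != "destroy":
            continue
        if workspace_id and entry.get("resource_id") != workspace_id:
            continue
        events.append({key: entry.get(key) for key in FIELDS})
    # ISO 8601 UTC timestamps sort correctly as strings.
    return sorted(events, key=lambda event: event["timestamp"] or "")

if __name__ == "__main__":
    # Pass log files as arguments (e.g. primary/app/logs/*atlas.stdout); no arguments runs the sample.
    lines = SAMPLE
    if sys.argv[1:]:
        lines = [l for path in sys.argv[1:] for l in open(path, errors="replace")]
    for event in workspace_deletions(lines):
        print("\t".join(str(event[key]) for key in FIELDS))
```
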